Via AWS Security Bulletin

https://github.com/aws/aws-lc

----- Forwarded message from "Latest Bulletins: Amazon Web Services" 
<[email protected]> -----

> Date: Tue, 03 Mar 2026 09:30:01 -0000
> From: "Latest Bulletins: Amazon Web Services" <[email protected]>
> To: [email protected]
> Subject: Issue with AWS-LC: an open-source, general-purpose cryptographic
>       library (CVE-2026-3336, CVE-2026-3337, CVE-2026-3338)
> 
> **Bulletin ID:** 2026-005-AWS  
> **Scope:** AWS  
> **Content Type:** Important (requires attention)  
> **Publication Date:** 2026/03/02 14:30 PM PST
> 
> **Description:**
> 
> AWS-LC is an open-source, general-purpose cryptographic library. We identified
> three distinct issues:
> 
> - CVE-2026-3336: PKCS7_verify Certificate Chain Validation Bypass in AWS-LC  
>   Improper certificate validation in PKCS7_verify() in AWS-LC allows an
>   unauthenticated user to bypass certificate chain verification when processing
>   PKCS7 objects with multiple signers, except the final signer.
> - CVE-2026-3337: Timing Side-Channel in AES-CCM Tag Verification in AWS-LC  
>   Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an
>   unauthenticated user to potentially determine authentication tag validity via
>   timing analysis.
> - CVE-2026-3338: PKCS7_verify Signature Validation bypass in AWS-LC  
>   Improper signature validation in PKCS7_verify() in AWS-LC allows an
>   unauthenticated user to bypass signature verification when processing PKCS7
>   objects with Authenticated Attributes.
> 
> **Impacted versions:**
> 
> - PKCS7_verify Certificate Chain Validation Bypass in AWS-LC >= v1.41.0, < v1.69.0
> - PKCS7_verify Certificate Chain Validation Bypass in aws-lc-sys >= v0.24.0, < v0.38.0
> - Timing Side-Channel in AES-CCM Tag Verification in AWS-LC >= v1.21.0, < v1.69.0
> - Timing Side-Channel in AES-CCM Tag Verification in AWS-LC >= AWS-LC-FIPS-3.0.0, < AWS-LC-FIPS-3.2.0
> - Timing Side-Channel in AES-CCM Tag Verification in aws-lc-sys >= v0.14.0, < v0.38.0
> - Timing Side-Channel in AES-CCM Tag Verification in aws-lc-sys-fips >= v0.13.0, < v0.13.12
> - PKCS7_verify Signature Validation bypass in AWS-LC >= v1.41.0, < v1.69.0
> - PKCS7_verify Signature Validation bypass in aws-lc-sys >= v0.24.0, < v0.38.0
> 
> **Please refer to the article below for the most up-to-date and complete
> information related to this AWS Security Bulletin.**
> 
> URL: https://aws.amazon.com/security/security-bulletins/rss/2026-005-aws/

----- End forwarded message -----
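The CVE-2026-3337 entry above describes the general failure class of a tag check whose running time depends on the tag bytes. The bulletin gives no detail of the affected AWS-LC code path, so the following is an added illustration of that class and its standard mitigation, not AWS-LC code and not a reproduction of the actual defect. It contrasts an early-exit byte comparison (whose work depends on where the first wrong byte sits, which is what a timing observer can measure) with a constant-time comparison that always touches every byte and folds the result into one accumulator. The 16-byte `SAMPLE_TAG` is a constructed value, not real AES-CCM output, and the `steps` counters exist only to make the data-dependent work visible without a timer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 16

/* Constructed sample tag for the demonstration (not a real AES-CCM tag). */
static const uint8_t SAMPLE_TAG[TAG_LEN] = {
    0x3a, 0x7f, 0x11, 0xc4, 0x90, 0x2e, 0x5d, 0x08,
    0xb6, 0x41, 0xde, 0x19, 0x77, 0xaa, 0x0c, 0xf3 };

/* Anti-pattern: stop at the first differing byte. Returns 1 on match,
 * 0 on mismatch. *steps receives how many bytes were examined, which
 * depends on the position of the first mismatch, so the caller's running
 * time leaks how many leading bytes of a candidate tag were correct. */
int tag_compare_early_exit(const uint8_t *expected, const uint8_t *got,
                           size_t len, size_t *steps) {
    for (size_t i = 0; i < len; i++) {
        if (expected[i] != got[i]) {
            *steps = i + 1;
            return 0;
        }
    }
    *steps = len;
    return 1;
}

/* Mitigation: examine every byte, OR all XOR differences into one
 * accumulator, and derive the result without branching on secret data.
 * Returns 1 on match, 0 on mismatch; *steps is always len. */
int tag_compare_constant_time(const uint8_t *expected, const uint8_t *got,
                              size_t len, size_t *steps) {
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < len; i++) {
        diff |= (uint8_t)(expected[i] ^ got[i]);
    }
    *steps = len;
    /* diff == 0 -> (0 - 1) >> 31 == 1; diff in 1..255 -> 0. No branch. */
    return (int)((((uint32_t)diff - 1u) >> 31) & 1u);
}

/* Build a candidate that first differs from SAMPLE_TAG at byte `pos`;
 * pos >= TAG_LEN yields an exact copy (a valid tag). */
void make_candidate(uint8_t out[TAG_LEN], size_t pos) {
    memcpy(out, SAMPLE_TAG, TAG_LEN);
    if (pos < TAG_LEN) out[pos] ^= 0x01;
}

/* Work done by the early-exit comparator for a mismatch at `pos`. */
size_t steps_early_exit(size_t pos) {
    uint8_t cand[TAG_LEN]; size_t steps = 0;
    make_candidate(cand, pos);
    tag_compare_early_exit(SAMPLE_TAG, cand, TAG_LEN, &steps);
    return steps;
}

/* Work done by the constant-time comparator for a mismatch at `pos`. */
size_t steps_constant_time(size_t pos) {
    uint8_t cand[TAG_LEN]; size_t steps = 0;
    make_candidate(cand, pos);
    tag_compare_constant_time(SAMPLE_TAG, cand, TAG_LEN, &steps);
    return steps;
}

/* Verification verdict (1 = tag accepted) from each comparator. */
int verify_early_exit(size_t pos) {
    uint8_t cand[TAG_LEN]; size_t steps;
    make_candidate(cand, pos);
    return tag_compare_early_exit(SAMPLE_TAG, cand, TAG_LEN, &steps);
}

int verify_constant_time(size_t pos) {
    uint8_t cand[TAG_LEN]; size_t steps;
    make_candidate(cand, pos);
    return tag_compare_constant_time(SAMPLE_TAG, cand, TAG_LEN, &steps);
}

int main(void) {
    printf("first wrong byte | early-exit steps | constant-time steps\n");
    for (size_t pos = 0; pos <= TAG_LEN; pos++) {
        printf("%16zu | %16zu | %19zu\n", pos,
               steps_early_exit(pos), steps_constant_time(pos));
    }
    return 0;
}
```

Both comparators return the same verdicts, so the difference is invisible to functional tests; only the work counters (or a timer in real code) expose it, which is why this class of bug survives review. In practice, use the library's constant-time comparison primitive (AWS-LC and OpenSSL expose `CRYPTO_memcmp`) rather than hand-rolling one, and update to the fixed versions listed in the bulletin.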
